b"TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                         While the Financial Institution\n                        Registration System Deployed on\n                      Time, Improved Controls Are Needed\n\n\n\n                                     September 30, 2014\n\n                             Reference Number: 2014-20-094\n\n\n\n\nThis report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n and information determined to be restricted from public release has been redacted from this document.\n\nRedaction Legend:\n2 = Risk Circumvention of Agency Regulation or Statute\n\n\n\nPhone Number / 202-622-6500\nE-mail Address / TIGTACommunications@tigta.treas.gov\nWebsite        / http://www.treasury.gov/tigta\n\x0c                                                   HIGHLIGHTS\n\n\nWHILE THE FINANCIAL INSTITUTION                        signature process is as reliable as is appropriate\nREGISTRATION SYSTEM DEPLOYED ON                        for the intended purpose.\nTIME, IMPROVED CONTROLS ARE                            WHAT TIGTA FOUND\nNEEDED\n                                                       The IRS deployed FRS Release 1.1 in\n                                                       December 2013 to provide functionality to\nHighlights                                             Foreign financial institutions and authorized IRS\n                                                       employees. Our review found that the IRS has\nFinal Report issued on                                 not yet: (1) approved and implemented FRS\nSeptember 30, 2014                                     business performance measures; (2) completely\n                                                       traced FRS system-specific security\nHighlights of Reference Number: 2014-20-094            requirements to security controls, test cases,\nto the Internal Revenue Service Chief                  and test results; (3) fully evaluated the risks of\nTechnology Officer and the Commissioner,               using electronic signatures for registration forms;\nLarge Business and International (LB&I)                (4) fully documented FRS system access\nDivision.                                              controls design, implementation, and\n                                                       functionality; (5) ***********2**********\nIMPACT ON TAXPAYERS                                    ***********************2*******************************\n                                                       *****2*********; and (6) integrated an automated\nThe deployment of the Financial Institution            tool suite to enable effective requirements\nRegistration System (FRS) supports provisions          management.\nof the Foreign Account Tax Compliance Act\n(FATCA). Taxpayers meeting the reporting               WHAT TIGTA RECOMMENDED\nrequirements threshold began reporting their\nforeign financial assets on Form 8938,                 The Chief Technology Officer should\nStatement of Specified Foreign Financial Assets,       (1) implement business performance measures\nbeginning with the 2012 Filing Season. Foreign         to quantify the benefits of the IRS\xe2\x80\x99s FRS\nfinancial institutions are required to report to the   investment; (2) completely trace FRS\nIRS information about financial accounts that          system-specific security requirements to\nexceed certain thresholds held by U.S.                 controls, test cases, and test results to ensure\ntaxpayers or foreign entities in which U.S.            security requirements are fully tested prior to\ntaxpayers hold a substantial ownership interest.       deployment; (3) determine whether a particular\nWithholding agents will withhold a 30 percent tax      technology and set of procedures for electronic\non taxpayers who fail to properly report specified     signatures as selected are as reliable as is\nfinancial assets related to U.S. investments.          appropriate for the intended purpose;\nExpenditures for FRS development totaled               (4) document system access controls in\napproximately $16.7 million for Fiscal Year 2011       sufficient detail to permit analysis and testing;\nthrough Fiscal Year 2013. In Fiscal Year 2014,         (5)******************2********************************\nfunding available for the FATCA Program was            *******************2**************************; and\n$46.6 million.                                         (6) apply integrated automated tools to manage\n                                                       FATCA systems requirements traceability.\nWHY TIGTA DID THE AUDIT                                TIGTA also recommends that the\n                                                       Commissioner, LB&I Division, complete a risk\nOur objective was to determine whether the IRS         analysis and cost-benefit analysis to assess the\nInformation Technology organization has                likelihood and cost of not implementing\nadequately mitigated systems development risks         enforceable electronic signatures.\nfor the FRS. TIGTA reviewed risk management\nprocesses, the FRS solution architecture,              The IRS agreed with two recommendations but\nSystems Acceptability Testing results, security        disagreed with five recommendations related to\ntesting results, and access controls implemented       security requirements traceability, electronic\nfor users of the FRS. TIGTA also assessed IRS          signatures, security access controls, and\nactions taken to ensure that the FRS electronic        integrating automated requirements\n                                                       management tools.\n\x0c                                             DEPARTMENT OF THE TREASURY\n                                                  WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                          September 30, 2014\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n                COMMISSIONER, LARGE BUSINESS AND INTERNATIONAL\n                DIVISION\n\n\n FROM:                       Michael E. McKenney\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 While the Financial Institution Registration\n                             System Deployed on Time, Improved Controls Are Needed\n                             (Audit # 201420013)\n\n This report presents the results of our review of the Financial Institution Registration System\n (FRS). The overall objective of this review was to determine whether the Internal Revenue\n Service (IRS) Information Technology organization has adequately mitigated systems\n development risks for the Foreign Account Tax Compliance Act FRS. This audit is our\n second review of the IRS\xe2\x80\x99s system development activities for the FRS and is included in our\n Fiscal Year 2014 Annual Audit Plan. Our review addresses the major management challenges\n of Implementing Major Tax Law Changes, Globalization, and Security for Taxpayer Data and\n Employees.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix V.\n Copies of this report are also being sent to the IRS managers affected by the report\n recommendations. If you have any questions, please contact me or Danny Verneuille, Acting\n Assistant Inspector General for Audit (Security and Information Technology Services).\n\x0c                                While the Financial Institution Registration System\n                                Deployed on Time, Improved Controls Are Needed\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 9\n          Earlier Business Performance Measures Would Strengthen\n          the System Development Process ................................................................. Page 9\n                    Recommendation 1:........................................................ Page 10\n\n          System-Specific Security Requirements Must Be Traced to\n          Test Cases and Test Results to Ensure Secure Deployment ......................... Page 10\n                    Recommendation 2:........................................................ Page 12\n\n          Actions Are Needed to Evaluate Risks With Electronic\n          Signatures for New Registration Forms ........................................................ Page 13\n                    Recommendation 3:........................................................ Page 15\n\n                    Recommendation 4:........................................................ Page 16\n\n          Improvements in System Access Controls Are Needed to\n          Ensure Confidentiality and Data Integrity .................................................... Page 16\n                    Recommendations 5 and 6: .............................................. Page 18\n\n          Improved Traceability of System Requirements to Testing\n          Can Be Achieved Through Available Automated Tools .............................. Page 19\n                    Recommendation 7:........................................................ Page 20\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 21\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 24\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 25\n          Appendix IV \xe2\x80\x93 Glossary ............................................................................... Page 26\n          Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ....................... Page 31\n\x0c         While the Financial Institution Registration System\n         Deployed on Time, Improved Controls Are Needed\n\n\n\n\n                    Abbreviations\n\nFATCA        Foreign Account Tax Compliance Act\nFFI          Foreign Financial Institution\nFI           Financial Institution\nFRS          Financial Institution Registration System\nFY           Fiscal Year\nGIIN         Global Intermediary Identification Number\nIGA          Intergovernmental Agreement\nIRS          Internal Revenue Service\nIT           Information Technology\nLB&I         Large Business and International\nNIST         National Institute of Standards and Technology\nPII          Personally Identifiable Information\nPMO          Program Management Office\nReqPro       Rational RequisitePro\nRQM          Rational Quality Management\nSAT          Systems Acceptability Testing\nSCA          Security Controls Assessment\nSP           Special Publication\nTIGTA        Treasury Inspector General for Tax Administration\n\x0c                            While the Financial Institution Registration System\n                            Deployed on Time, Improved Controls Are Needed\n\n\n\n\n                                             Background\n\nThe Foreign Account Tax Compliance Act (FATCA)1 Program is an important development in\nthe Internal Revenue Service\xe2\x80\x99s (IRS) efforts to improve U.S. tax compliance involving foreign\nfinancial assets and offshore accounts. In 2010, Congress enacted the FATCA legislation as part\nof the Hiring Incentives to Restore Employment Act2 to:\n    \xef\x82\xb7    Combat tax evasion by U.S. persons holding investments in offshore accounts.\n    \xef\x82\xb7    Expand the IRS\xe2\x80\x99s global presence.\n    \xef\x82\xb7    Pursue international tax and financial crimes.\n    \xef\x82\xb7    Fill a gap in the IRS\xe2\x80\x99s information reporting system.\n    \xef\x82\xb7    Generate additional enforcement revenue.\nThe FATCA legislation directly affects three key groups:\n    \xef\x82\xb7    Taxpayers. Taxpayers meeting the reporting requirements threshold must report their\n         foreign financial assets on Form 8938, Statement of Specified Foreign Financial Assets,\n         as an attachment to their Federal income tax returns beginning with the 2012 Filing\n         Season.3\n    \xef\x82\xb7    Foreign Financial Institutions (FFI). FFIs include any non-U.S. entity that accepts\n         deposits, holds financial assets, or engages in the business of investing, including foreign\n         banks, foreign branches of U.S. banks, and businesses organized under a foreign law that\n         would be a securities broker-dealer if located in the U.S. (e.g., money transmitter,\n         currency exchanger). FFIs are required by the FATCA to report to the IRS information\n         about financial accounts that exceed certain thresholds held by U.S. taxpayers or foreign\n         entities in which U.S. taxpayers hold a substantial ownership interest.\n    \xef\x82\xb7    Withholding Agents. Withholding agents will withhold a 30 percent tax on taxpayers\n         who fail to properly report specified financial assets related to U.S. investments.\n\n\n\n\n1\n  Pub. L. No. 111-147, Subtitle A, 124 Stat 71, *96-116 (2010) (codified in scattered sections of 26 U.S.C.).\n2\n  Hiring Incentives to Restore Employment Act (HIRE), Pub. L. No. 111-147, 124 Stat. 71 (2010).\n3\n  See Appendix IV for a glossary of terms.\n                                                                                                                Page 1\n\x0c                       While the Financial Institution Registration System\n                       Deployed on Time, Improved Controls Are Needed\n\n\n\nIRS Information Technology (IT) organization Program Management Office (PMO)\ngovernance\nWithin the IRS\xe2\x80\x99s IT organization, the Enterprise IT PMO is the IRS\xe2\x80\x99s systems integrator to\nmanage programs based on the Enterprise Life Cycle, ensuring coordination across information\ntechnology delivery partners and business stakeholders for\nsuccessful project delivery to production. The Enterprise\n                                                              The newly established FATCA IT\nIT PMO provides systems integration and has an emphasis       PMO managed the development\non major IRS business systems modernization programs           and deployment of the FRS and\nsuch as the Customer Account Data Engine 2, Modernized           will oversee future FATCA\ne-File, the Electronic Fraud Detection System, the Return       systems development efforts.\nReview Program, and the FATCA Program.\nThe FATCA IT PMO was established in January 2014 when the IRS approved the FATCA IT\nPMO\xe2\x80\x99s Program Management Plan. This office oversees the design, development, and\ndeployment of information technology projects to fulfill FATCA Program requirements. In\naddition, the FATCA IT PMO coordinates with IRS information technology project development\nleads and other IRS information technology delivery partners to manage the funding for FATCA\ndevelopment projects. Actual expenditures on Financial Institution (FI) Registration System\n(FRS) development totaled approximately $16.7 million for Fiscal Year (FY) 2011 through\nFY 2013. According to information provided by the IRS in preparing its FY 2015 Budget\nSubmission to Congress, FY 2014 funding available for the FATCA Program was $46.6 million.\nAccording to the FATCA IT PMO, the IRS will deliver FATCA systems development projects\nover a period of at least five years, from the initial development of the FRS in Calendar\nYear 2011 to the planned deployment of other FATCA systems in Calendar Year 2015. The\nFATCA IT PMO is responsible for designing, developing, and deploying FATCA projects to\nmeet the IRS\xe2\x80\x99s Large Business and International (LB&I) Division\xe2\x80\x99s business needs. Once these\nprojects are fully deployed, operations and maintenance duties for the FATCA systems will\ntransition to other operational units within the IT organization.\nFigure 1 provides a timeline of key milestones for the FATCA Program.\n\n\n\n\n                                                                                       Page 2\n\x0c                            While the Financial Institution Registration System\n                            Deployed on Time, Improved Controls Are Needed\n\n\n\n                        Figure 1: FATCA Program Deployment Timeline\n\n     Key Dates                                                  Description\n                     The IRS began accepting Form 8938. In Calendar Years 2012 and 2013, only U.S. individual\nJanuary 01, 2012     taxpayers were required to file Form 8938 and attach it to a Form 1040, U.S. Individual Income\n                     Tax Return, or Form 1040NR, U.S. Nonresident Alien Income Tax Return.\n                     The Department of the Treasury (Treasury) and the IRS issued final regulations and addressed\nJanuary 28, 2013\n                     FATCA Intergovernmental Agreements (IGA).\n                     The FATCA registration portal opened to the public. Paper registration Forms 8957, Foreign\nAugust 19, 2013\n                     Account Tax Compliance Act (FATCA) Registration, can also be used.\n                     Each financial institution should have finalized its registration information electronically in the\nJanuary 01, 2014\n                     FRS or by filing Form 8957 for paper registrations.\n                     FFIs and sponsoring entities must complete registration by this date to ensure inclusion on the\n    April 25, 2014\n                     initial IRS FFI List.\n                     The IRS published the initial FFI List, and monthly updates will follow. As of June 30, 2014,\n    June 02, 2014    the LB&I Division website reports that 77,000 FFIs have registered to date (includes online and\n                     paper, with and without Global Intermediary Identification Numbers (GIIN)).\n                     Withholding begins on U.S. payments to FFIs,4 nonfinancial foreign entities, and direct account\n    July 01, 2014    holders of participating FFIs using Form 1042, Annual Withholding Tax Return for U.S. Source\n                     Income of Foreign Persons.\nJanuary 01, 2015     FFI information reporting begins for reporting of Tax Year 2014.\n                     FFIs and sponsoring entities in non-IGA and Model 2 IGA countries are to file the first\n                     information reports for Tax Year 2014. As of June 30, 2014, Treasury recognizes that 39 IGAs\nMarch 15, 2015       have been signed; another 62 IGAs are under negotiation. Of the total 101 IGAs, 88 are Model 1\n                     agreements for which FFIs report to the IRS through their host country taxing authorities. The\n                     remaining 13 are Model 2 agreements for which the FFIs report directly to the IRS.\n                     FFIs and U.S. withholding agents are to file Form 1042-S, Foreign Person\xe2\x80\x99s U.S. Source\n                     Income Subject to Withholding, regarding withholding during Calendar Year 2014.\nMarch 31, 2015\n                     U.S. withholding agents may have a reporting obligation with respect to payments made to\n                     U.S.-owned nonfinancial foreign entities.\n                     Model 1 IGA reporting is due for Tax Year 2014. This includes reporting by host country\n    September 30,\n                     taxing authorities and reciprocal reporting by the U.S. via the International Data Exchange\n        2015\n                     Service.\nJanuary 31, 2016     The IRS plans to implement a full FATCA compliance program.\nSource: IRS LB&I Division FATCA timeline.\n\n\n4\n  If the FFI does not comply with the FATCA rules, beginning in 2014, \xe2\x80\x9cwithholdable payments\xe2\x80\x9d payable to it for\nboth its own account and on behalf of its customers will be subject to U.S. Federal income tax withholding.\nWithholdable payments include items of U.S.-source fixed or determinable, annual or periodical income, such as\ninterest and dividends, as well as gross proceeds \xe2\x80\x9cfrom the disposition of any property of a type which can produce\ninterest or dividends from sources within the United States.\xe2\x80\x9d\n                                                                                                                 Page 3\n\x0c                             While the Financial Institution Registration System\n                             Deployed on Time, Improved Controls Are Needed\n\n\n\nFigure 2 shows the multiple FATCA software development projects that the IRS plans to\ndevelop and implement between 2013 and 2015.\n                  Figure 2: Key FATCA Software Development Projects\n\n             Project                         Description of Related Steps and Capabilities\n\n                                     Register FFIs and issue a GIIN. Publish the approved IRS FFI List.\nFRS\n                                     Provides a search and download tool.\n\nTaxpayer Reporting \xe2\x80\x93 Form 8938 Provide taxpayers with the ability to update Form 8938 to facilitate\nTranscription                  taxpayer reporting.\n\n                                     Facilitate secure electronic submission, receipt, and exchange of\nInternational Data Exchange          FATCA data among financial institutions from many countries;\nService                              service is expected to accommodate an estimated 600,000 FIs,\n                                     including FFIs.\n\nInternational Compliance\n                                     Develop database and extract, transform, and load FATCA data.\nManagement Model\n\n                                     Process and track withholding deposits and associated reporting\nWithholding Payment Processing\n                                     from U.S. withholding agents and FIs.\n\n                                     Process returns with requests for refunds against withholding\nRefund Processing & Fraud\n                                     deposits. Implement processes to identify and prevent potential\nDetection\n                                     refund fraud.\n\n                                     Identify and integrate data elements for compliance case selection\nFATCA Compliance Strategy\n                                     and case management.\nSource: IRS LB&I Division.\n\nFigure 3 depicts the relationship and data integration points between the FATCA software\ndevelopment projects and information provided by the FFIs, withholding agents, and U.S.\naccount holders.\n\n\n\n\n                                                                                                   Page 4\n\x0c                           While the Financial Institution Registration System\n                           Deployed on Time, Improved Controls Are Needed\n\n\n\n       Figure 3: Relationship Among FATCA Software Development Projects\n\n\n\n\nSource: IRS LB&I Division FATCA conceptual diagram. HCTA = Host Country Taxing Authority.\nPFFIs = Participating FFIs.\n\nThe FRS\nThe FRS is intended to register those FFIs electing to comply with the U.S. FATCA legislation\nas well as to publish and maintain a list of participating FFIs for use by U.S. holders of overseas\naccounts, financial institutions, and other participating FFIs in determining withholding\nresponsibilities. Figure 4 provides an overview of FRS users and related system functionality.\n                                    Figure 4: FATCA FRS Users\n\n        FRS Users                                                 Description\n\n FFIs                        FFI staff will use the FRS to create, edit, and submit applications for registered FFI\n (Release 1.1 Drop 1)        status and receive notification of approval/disapproval. An FFI can create an account\n                             online, submit its FFI registration data, update its FFI account, receive notifications of\n                             events concerning registration or account actions, and read the IRS FFI List. The IRS\n                             issues GIINs to registered FFIs.\n\n Authorized IRS Employees    The IRS employees supporting the FFI registration function will use the system to\n (Release 1.1 Drop 2)        enter registration data, modify FFI accounts, run management reports, and extract\n                             data on FFIs for analysis.\n\n External Third Parties      U.S. withholding agents and approved FFIs will need to know whether FFIs are\n (Release 2)                 participating in the FATCA in order to determine if 30 percent withholding should be\n                             applied to payments to FFI accounts held or controlled by U.S. persons or entities.\nSource: FATCA Iterative Design Specification Report.\n\n                                                                                                              Page 5\n\x0c                         While the Financial Institution Registration System\n                         Deployed on Time, Improved Controls Are Needed\n\n\n\nThe FRS will provide several functions including user accounts, FFI agreements, and FFI\ncertifications. The user account function manages user accounts. The FFI agreements function\nconfirms input data and agreement type as entered by the FFI and ensures that the agreement is\nultimately signed. The FFI certification function ensures that FFIs certify to their status as a\ndeemed-compliant FFI by providing a withholding agent with the required documentation.\nFigure 5 provides an overview of system development activities and milestones for the FRS.\n       Figure 5: System Development Activities and Milestones for the FRS\n\n   FRS Development Activities                                                   Date\n\n   System development of the FRS started                                  April 25, 2011\n\n   FATCA regulations issued                                               February 8, 2012\n\n   FATCA IT PMO approved                                                  September 13, 2012\n\n   FRS Release 1.0 terminated                                             November 5, 2012\n\n   FRS Release 1.1 redesigned                                             January 7, 2013\n\n   Final FATCA regulations issued                                         January 28, 2013\n\n   Scope and schedule changes to develop FRS Release 1.1 approved         January 31, 2013\n\n   FRS Release 1.1 Drop 1 deployed                                        July 29, 2013\n\n   FRS Release 1.1 Drop 2 deployed                                        December 9, 2013\n\n   FFIs needed to finalize their registrations                            January 1, 2014\n\n   Form 8957 paper registrations accepted                                 January 1, 2014\n\n   Completed FFI registrations will be included in initial IRS FFI list   April 25, 2014\n\n   GIINs assigned to FFIs                                                 April 25, 2014\n\n   Initial IRS FFI List was published with monthly updates planned        June 2, 2014\n  Source: IRS IT organization, FATCA IT PMO, FRS timeline.\n\n\n\n\n                                                                                               Page 6\n\x0c                          While the Financial Institution Registration System\n                          Deployed on Time, Improved Controls Are Needed\n\n\n\nFRS architecture\n    *******************************2************************\n                     **************************************2***********************\n\xc2\xa0\n\n\n\n\n    *********************************************************************************************\n    *********************************************************************************************\n    *********************************************************************************************\n    *********************************************************************************************\n    *********************************************************************************************\n    *********************************************************************************************\n    *********************************************************************************************\n    *********************************************************************************************\n******************************************2**************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n\n\n********************************************2************************************************\n********************************************2************************************************\n********************************************2************************************************\n***********************2*******************************.\n\nThe IRS terminated FATCA FRS Release 1.0 in November 2012 due to scope changes resulting\nfrom the finalization of proposed FATCA regulations and IGA negotiations. The IRS IT\norganization subsequently redesigned and deployed FRS Release 1.1 Drop 1 in July 2013 on\nbehalf of FATCA\xe2\x80\x99s IRS business owner, the LB&I Division. Drop 1 provided functionality for\nFFIs to create an account via the Registered User Portal and submit a completed registration\n\n\n\n\n                                                                                           Page 7\n\x0c                          While the Financial Institution Registration System\n                          Deployed on Time, Improved Controls Are Needed\n\n\n\n(Form 8957). The Treasury Inspector General for Tax Administration (TIGTA) previously\nreported on systems development for the FRS in 2013.5\nThis review was performed at the IRS IT organization offices at the New Carrollton Federal\nBuilding in Lanham, Maryland. We obtained information from management and personnel in\nthe FATCA IT PMO, the Cybersecurity organization, and the LB&I Division offices in Lanham,\nMaryland, and in Washington, D.C. The review was performed during the period October 2013\nthrough July 2014. We conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit objectives. Detailed\ninformation on our audit objective, scope, and methodology is presented in Appendix I. Major\ncontributors to the report are listed in Appendix II.\n\n\n\n\n5\n TIGTA conducted a prior audit of FRS Release 1.1 Drop 1. TIGTA, Ref. No. 2013-20-118, Foreign Account Tax\nCompliance Act: Improvements Are Needed to Strengthen Systems Development Controls for the Financial\nInstitution Registration System (Sept. 2013).\n                                                                                                    Page 8\n\x0c                            While the Financial Institution Registration System\n                            Deployed on Time, Improved Controls Are Needed\n\n\n\n\n                                      Results of Review\n\nEarlier Business Performance Measures Would Strengthen the\nSystem Development Process\nWhile the IRS has begun developing business measures for the FRS since our last review, those\nmeasures were not yet in place to guide development for the FRS or before system deployment\nin December 2013. The Government Performance and Result Act Modernization Act of 2010\n(GPRAMA),6 however, emphasizes the importance of: (1) establishing annual performance\ngoals to define the level of performance; (2) expressing goals in an objective, quantifiable, and\nmeasurable form; (3) providing a description of how the performance goals are to be achieved;\nand (4) establishing a balanced set of performance indicators to be used in measuring or\nassessing progress toward each performance goal. These same performance measurement\nprinciples are reflected in IRM 2.16.1, Enterprise Life Cycle Guidance, which states that the\npurpose of the Business Solution Architecture Stage is to specify the business system\nrequirements and structure for a complete solution that implements the system concept and\nincludes an initial performance engineering model, e.g., measureable objectives.7 This policy\nalso requires that by the time an IRS system is deployed, a measurement system should be in\nplace to support assessment of the system\xe2\x80\x99s functional performance to achieve its stated business\nneeds.8 In addition, for adequate capital planning and investment management, the IRS is\nrequired to monitor capital investments to ascertain that planned quantitative and qualitative\nbenefits are realized.9\nThe IRS has employed an incremental delivery approach for FATCA information technology\nprojects and divided the FRS Project into two production releases, deployed in July and\nDecember 2013 respectively. However, performance measures were not in place for TIGTA\xe2\x80\x99s\nconsideration during our review of Drop 2. Further, the IRS has not yet implemented\nperformance goals and measures for FRS Release 1.1, Drop 1. Performance measures are\nneeded to support assessment of the system\xe2\x80\x99s functional performance to achieve its stated\nbusiness needs.\nIn February 2014, LB&I Division officials informed us that they were working on\nfive performance measures for the FATCA registration process and the associated FFI List\nsearch and download tool; two measures pertain to the LB&I Division and three pertain to the\nFATCA IT PMO. LB&I Division officials explained that a working group has been tasked with\n\n6\n  Pub. L. No. 111-352, 124 Stat. 3866 (Jan. 4, 2011).\n7\n  IRM 2.16.1.2.3.3.5, Business Solution Architecture Stage (Sept. 4, 2010).\n8\n  IRM 2.16.1.2.3.3.12, Deployment Stage (Aug. 3, 2008).\n9\n  IRM 2.16.1.2.6.8, Strategy and Capital Planning (Sept. 4, 2010).\n                                                                                           Page 9\n\x0c                        While the Financial Institution Registration System\n                        Deployed on Time, Improved Controls Are Needed\n\n\n\nfully developing these measures and ensuring that the measures are tracked once the following\nthree FRS components became operational in June 2014, i.e., registration, publication of the\nFFI List, and backend processing to screen applicants to determine if they are on an excluded\ncountry listing.\nIt has been almost a full year since the first delivery of FRS functionality, and the IRS has not yet\ndetermined expected benefits from this significant information technology investment. Further,\nwe believe that future FATCA system development efforts would benefit from the earlier\npartnering of the LB&I Division with the IRS IT organization to develop and publish\nperformance measures which will ensure that adequate governance is in place to align\ninformation technology strategy with business strategy and to measure the effectiveness and\nefficiency of FATCA information technology investments.\n\nRecommendation\nRecommendation 1: The Chief Technology Officer should ensure that the IRS IT\norganization and the LB&I Division coordinate to timely develop and implement adequate\nbusiness performance measures to quantify net benefits for information technology investments\nin support of the FATCA.\n       Management Response: The IRS agreed with this recommendation, stating that the\n       Commissioner, LB&I Division, is responsible for the business measures for the FATCA\n       FRS and has developed these measures. The Chief Technology Officer agreed to\n       incorporate these measures in the IRS\xe2\x80\x99s FY 2016 budget submission.\n       Office of Audit Comment: Business performance measures are important to measure\n       and quantify the net benefits of the IRS\xe2\x80\x99s information technology investment in the\n       FATCA FRS. While the IRS reported that it had developed measures for the FATCA\n       FRS, these business measures were not made available to TIGTA for review. Although\n       the IRS has agreed to incorporate the measures into the FY 2016 budget submission,\n       TIGTA believes that the IRS\xe2\x80\x99s corrective actions should focus on implementing business\n       performance measures and assessing the system\xe2\x80\x99s performance.\n\nSystem-Specific Security Requirements Must Be Traced to Test Cases\nand Test Results to Ensure Secure Deployment\nAs a part of the security assessment and authorization process, the IRS Cybersecurity\norganization conducted a FATCA FRS event-driven Security Controls Assessment (SCA) prior\nto FRS Release 1.1 Drop 2 deployment to ensure that the FRS\xe2\x80\x99s security controls were in place\nand functioning as intended. The Cybersecurity organization issued its FRS Security\nAssessment Report on November 22, 2013. The event-driven SCA included analysis and testing\nof key nontechnical and technical security controls that had changed from FRS Release 1.1\nDrop 1 to Release 1.1 Drop 2. The purpose of the event-driven SCA was to ensure that the\n\n                                                                                             Page 10\n\x0c                           While the Financial Institution Registration System\n                           Deployed on Time, Improved Controls Are Needed\n\n\n\nFATCA FRS met the established security controls in accordance with National Institute of\nStandards and Technology (NIST) Special Publication (SP) 800-53 (NIST SP 800-53),\nRevisions 3 and 4.10 The FATCA FRS Application System Security Plan, hereafter referred to as\nthe System Security Plan, addressed NIST SP 800-53 security controls, and the FATCA SCA\ntraced NIST security controls to test cases and test results.\nNIST SP 800-53 also provides direction for managing Federal information systems using a\nsystem development life cycle methodology that includes information security considerations.\nThe NIST document is cross-referenced to the International Organization for Standardization\xe2\x80\x99s\nguidance on controls pertaining to information systems development and particularly security\nrequirements analysis and specification. In addition, IRS IRM 2.127.2, Software Testing\nStandards and Procedures \xe2\x80\x93 IT Software Testing Process and Procedures, provides guidelines\nfor developing system requirements and requires bidirectionally tracing those requirements to\ntheir sources and test cases, executing the test cases, recording test results, and tracing the test\ncases to the test results.11 IRM 10.8.1, Information Technology Security, Policy and Guidance,\nalso emphasizes integrating security into an IRS-approved systems development life cycle.12\nThis policy stipulates that: (1) security requirements shall be incorporated into the system\nrequirements and (2) security requirements shall be tracked, updated, and validated throughout a\nsystem\xe2\x80\x99s life cycle.\nNIST SP 800-3713 stresses that security requirements are a subset of the overall functional and\nnonfunctional (e.g., quality, assurance) requirements levied on an information system and are\nincorporated into the system development life cycle simultaneously with the functional and\nnonfunctional requirements. This special publication recognizes that without the early\nintegration of security requirements, significant expense may be incurred by the organization\nlater in the life cycle to address security considerations that could have been included in the\ninitial design. The NIST stresses that when security requirements are considered as an integral\nsubset of other information system requirements, the resulting system has fewer weaknesses and\ndeficiencies and, therefore, fewer vulnerabilities that can be exploited in the future. As such,\nthese actions are needed to ensure that systems, including the FRS, adequately address unique\nrisks and operate as intended long-term based on established system-specific security\nrequirements.\nWhile the IRS traced NIST security controls to test cases and test results, it did not trace FRS\nsystem-specific security requirements to security controls, test cases and test results prior to\n\n\n10\n   NIST, NIST SP 800-53 Rev. 3, Information Security: Recommended Security Controls for Federal Information\nSystems and Organizations (Aug. 2009). Also, NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal\nInformation Systems and Organizations (April 2013) (includes updates as of Jan. 15, 2014).\n11\n   IRM 2.16.1, Enterprise Life Cycle Guidance (April 25, 2012).\n12\n   IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance (May 3, 2013).\n13\n   NIST, NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information System\n(Feb. 22, 2010).\n\n                                                                                                      Page 11\n\x0c                        While the Financial Institution Registration System\n                        Deployed on Time, Improved Controls Are Needed\n\n\n\ndeployment. The IRS indicated that while there was no assurance that all FRS security\nrequirements were tested as part of its security testing, 100 percent of all applicable\nNIST SP 800-53 security controls were tested in the SCA before the FRS Project received its\nfinal authorization to operate in November 2013. We believe that if security test case\ndevelopment, security control traceability, and security testing focuses only on required\nNIST SP 800-53 security controls, unique FRS security requirements could go untested. This\ncould have an adverse impact on FATCA system functionality and operations. Moreover,\nverification of system-specific security requirements are needed to mitigate unique risks for\nFATCA systems regarding the threat of unauthorized access or modification of Personally\nIdentifiable Information (PII) and other sensitive data.\n\nRecommendation\nRecommendation 2:\xc2\xa0\xc2\xa0The Chief Technology Officer should ensure that system-specific\nsecurity requirements are traced to test cases and test cases to test results to ensure the\ncompleteness of FRS security testing. This will also provide assurance that adequate\nsystem-specific security will be in place throughout the life cycle of the FRS.\n       Management Response: The IRS disagreed with this recommendation. The IRS\n       stated that TIGTA did not provide any FRS-specific security test cases to the IRS as\n       examples of this deficiency. Instead, TIGTA presented the recommendation based on a\n       one-time initiative taken by the Customer Account Data Engine 2 project wherein every\n       NIST security control had been traced in some manner to some type of testing and\n       included in the security documentation. This is not a standard practice within the IRS.\n       Office of Audit Comment: NIST guidance cites three different types of security\n       controls, including system-specific, common, and hybrid controls. System-specific\n       security controls are controls that are unique to the application. TIGTA is concerned that\n       FATCA FRS\xe2\x80\x99s system-specific security requirements were not sufficiently traced to\n       security controls, test cases, and test results; this key system development control is\n       needed to ensure that FATCA system-specific security requirements are adequately tested\n       prior to deployment. IRS policy requires all system requirements, including security\n       requirements, to be traced to test cases and test results. The IRS needs to reassess the\n       methodology it uses to implement this policy because its current methodology appears\n       incomplete as the IRS only traces security controls to test cases and test results, not\n       system-specific security requirements to controls, to test cases, and to test results. Given\n       the lack of full traceability of security controls, the IRS cannot be assured that FATCA\n       system-specific security requirements are fully tested prior to deployment. The IRS\n       management response states that TIGTA did not find any specific examples of this\n       control weakness. TIGTA notes that the scope of our system development review did not\n       include a detailed analysis or validation of all FRS system requirements, including\n       system-specific security requirements. We considered the risk mitigation controls\n\n                                                                                           Page 12\n\x0c                           While the Financial Institution Registration System\n                           Deployed on Time, Improved Controls Are Needed\n\n\n\n        applied by the IRS to ensure adequate development and testing of FRS requirements,\n        including requirements for security, as required by both IRS policy and by the NIST\n        criteria that is referenced in the report.\n\nActions Are Needed to Evaluate Risks With Electronic Signatures for\nNew Registration Forms\nIn January 2014, the IRS FATCA FRS website began allowing FFIs to file Forms 8957\nelectronically from anywhere in the world without the need to print, complete, and mail paper\nforms. As of July 17, 2014, approximately 99 percent of Forms 8957 were filed electronically.\nForm 8957 requires users to check an on-screen box and manually key in their name to indicate\ntheir electronic signature; the names are not verified to data on file. TIGTA asked the IRS to\nprovide its risk analysis assessing whether the FATCA signature process is sufficiently reliable.\nThe IRS informed us that a risk assessment for using electronic signatures in the FRS had not\nbeen completed during FRS development. During interviews with the FATCA IT PMO,\nEnterprise Services function, Solution Engineering function, and LB&I Division representatives,\nIRS officials also informed us that neither the LB&I Division nor the FATCA IT PMO have\nidentified electronic signature requirements for the FRS.\nThe use of electronic signatures in transactions involving Federal agencies is primarily governed\nby one of the following laws: the Government Paperwork Elimination Act14 or the Electronic\nSignatures in Global and National Commerce Act.15 The Government Paperwork Elimination\nAct requires that, when practicable, Federal agencies use electronic forms, electronic filing, and\nelectronic signatures to conduct official business with the public by 2003. It further encourages\nFederal Government use of a range of electronic signature alternatives.16 The Electronic\nSignatures in Global and National Commerce Act, enacted June 30, 2000, facilitates the use of\nelectronic records and signatures in foreign commerce. In January 2013, a report titled Usage of\nElectronic Signature in the Federal Government 17 provided important guidance on the use of\nelectronic signatures and encouraged adherence to these laws. This guidance pertains to the use\nof electronic signatures for legal signing purposes in the context of electronic transactions. A\nsignature, whether electronic or on paper, is the means by which a person indicates an intent to\nassociate himself with a document in a manner that has legal significance. Key provisions of the\nJanuary 2013 guidance follows.\n\n\n\n\n14\n   Pub. L. 105\xe2\x80\x93277 Title XVII.\n15\n   Pub. L. 106\xe2\x80\x93229, 114 Stat. 464, enacted June 30, 2000, 15 U.S.C. ch. 96.\n16\n   OMB Circular A-130, Management of Federal Information Resources, Appendix II, Implementation of the\nGovernment Paperwork Elimination Act (Nov. 2000).\n17\n   Uniform Electronic Transactions Act, approved by the National Conference of Commissioners on Uniform State\nLaws on July 23, 1999, adopted by 47 states as of November 2010.\n                                                                                                      Page 13\n\x0c                       While the Financial Institution Registration System\n                       Deployed on Time, Improved Controls Are Needed\n\n\n\nElectronic Signature Guidance to Federal Agencies:\n   1. Determine whether an electronic signature is necessary. The organization should\n      determine whether an electronic signature is required or recommended for legally binding\n      an individual to the transaction. It is up to the organization to determine the value of any\n      particular transaction and what level of security is required to reduce the risk of fraud.\n   2. Consider the signing requirements for legally enforceable electronic signatures. It is\n      critical that the electronic signature and the associated signing process satisfy all of the\n      applicable legal requirements (form of signature, intent to sign, signature must be\n      attached to or associated with the electronic record, identify and authenticate the signer,\n      and integrity of the signed record).\n   3. Conduct risk analysis to assess the likelihood and cost of not implementing enforceable\n      electronic signatures. A risk analysis should be conducted to consider the potential\n      challenges to the enforceability of an electronic signature. The risk analysis should\n      include the likelihood of a successful challenge to the validity of the electronic signature\n      and the monetary loss or other adverse impact that will result from a successful challenge\n      to the enforceability of the electronic signature. The risk analysis should address\n      concerns regarding the enforceability of the resulting signature. Specifically, the risk\n      analysis should consider the:\n          \xef\x82\xb7   Risk that an alleged signer, or other interested third party, will be able to\n              successfully repudiate the electronic signature, deny that it was made with an\n              intent to sign, or challenge the integrity of the signed record.\n          \xef\x82\xb7   Loss, cost, or other impact of such a successful challenge to the enforceability of\n              the signed record.\n       The risk analysis should reach an overall risk-level determination and be documented.\n       The risk-level determination should be used to determine the options available for each of\n       the five signature requirements in item 2 above (form of signature, intent to sign,\n       signature must be attached to or associated with the electronic record, identify and\n       authenticate the signer, and integrity of the signed record).\n   4. Decide overall risk-level determination of risk. An overall risk determination of low,\n      moderate, or high needs to be decided for the intended purpose of the transactions.\n   5. Act on the risk assessment results. The risk-level determination should be used to\n      determine the options available for each of the five signature requirements discussed in\n      item 2 above. For example, for low- and moderate-risk transactions, any electronic form\n      of signature is acceptable (clicking an on-screen button, checking an on-screen box,\n      typing one\xe2\x80\x99s name, or using a personal identification number). However, for high-risk\n      transactions, the only acceptable electronic form of signature is a cryptographically based\n      digital signature.\n\n                                                                                            Page 14\n\x0c                          While the Financial Institution Registration System\n                          Deployed on Time, Improved Controls Are Needed\n\n\n\nAccording to an IRS announcement in January 2013, \xe2\x80\x9cThe IRS has never established a formal set\nof e-signature [electronic signature] standards for the tax industry.\xe2\x80\x9d18 Further, the IRS IT\norganization has not developed or implemented an enterprise electronic signature solution or a\nstandardized web-based security solution to identify and authenticate individuals signing tax\nforms or registration forms.\nIRM 2.16.1 provides for a complete set of business system requirements to include information\nsystem requirements including functional, data, interface, information system, performance, and\noperational requirements including information system management and procedural\nrequirements.19 However, the requirements management steps completed for the FRS did not\naddress functionality for electronic signatures. These electronic signatures are applied to\nForms 8957 that are implemented with the FRS electronic registration process. Without a\nrisk-based approach to developing and implementing electronic signatures for the FRS, the IRS\nhas not yet fully considered and addressed the possibility that FRS users, including FFIs, could:\n     \xef\x82\xb7   Repudiate the electronic signature, i.e., deny checking an on-screen box or signing the\n         registration form;\n     \xef\x82\xb7   Deny any intent to sign; or\n     \xef\x82\xb7   Challenge the integrity of the record or signature.\nFurther, if the IRS cannot enforce the electronic signatures implemented with the FRS, the risk\nof monetary loss or other adverse effects could hinder goals for international tax administration\nas needed to implement the FATCA.\n\nRecommendations\n\nRecommendation 3:\xc2\xa0\xc2\xa0The Chief Technology Officer should ensure that the FATCA IT PMO\ndetermines whether the particular technology and set of procedures that comprise the signing\nprocess are as reliable as is appropriate for the intended purpose.\n\n         Management Response: The IRS disagreed with this recommendation, stating that\n         no business requirements existed to provide an e-Signature capability for the FATCA\n         FRS. The Chief Technology Officer delivered the system per business requirements.\n         TIGTA was provided with the legal analysis undertaken by the Associate Chief Counsel,\n         International, on whether an electronic signature was needed.\n         Office of Audit Comment: A documented risk-based analysis is important in\n         considering the adequacy of an electronic signature solution for the FRS. The risk\n\n18\n   IRS, Internal Revenue Bulletin No. 2013-4, Announcement 2013-8, Recommendations for Proposed e-signature\nStandards (Jan. 22, 2013).\n19\n   IRM 2.16.1.2.3.3.5, Business Solution Architecture Stage (Sept. 4, 2010).\n                                                                                                    Page 15\n\x0c                       While the Financial Institution Registration System\n                       Deployed on Time, Improved Controls Are Needed\n\n\n\n       analysis should consider the likelihood of a successful challenge to the validity of the\n       electronic signature and the monetary loss or other adverse impact from a successful\n       challenge to the enforceability of the electronic signature. Although the IRS has\n       implemented a \xe2\x80\x9ccheck in the box\xe2\x80\x9d signature solution for the FRS, the IRS could not\n       provide any evidence that it had evaluated the risks associated with its decisions prior to\n       implementing an electronic signature solution. Therefore, TIGTA cannot determine\n       whether the particular technology and set of procedures that comprise the signing process\n       are as reliable as appropriate for the intended purpose. The Chief Technology Officer\n       should monitor the LB&I Division\xe2\x80\x99s completion of the corrective action for\n       Recommendation 4 below. If the LB&I Division determines that the electronic signature\n       technology and accompanying procedures that comprise the signing process are required,\n       then the IRS should revisit the applicability of Recommendation 3 to implement an\n       electronic signature capability for the FATCA FRS.\nRecommendation 4:\xc2\xa0\xc2\xa0The Commissioner, LB&I Division, should ensure that the\nLB&I Division completes a thorough risk analysis and cost-benefit analysis to better assess\nthe likelihood and cost of not implementing enforceable electronic signatures for the FRS.\n       Management Response: The IRS agreed with this recommendation, stating that the\n       LB&I Division has provided TIGTA with a report that outlined the decision on Part Four\n       of the FATCA FRS regarding the signature. In addition, the LB&I Division is\n       completing a risk assessment to document the decision.\n       Office of Audit Comment: While the IRS agreed to complete a risk assessment, its\n       statement that the risk assessment will be performed to document the decision is\n       problematic. The decision should be based on the outcome of the risk assessment, not\n       vice versa.\n\nImprovements in System Access Controls Are Needed to Ensure\nConfidentiality and Data Integrity\nDuring our review, we found that key security documents did not adequately describe how access\ncontrols were designed and implemented for the FRS. Further,********2**************\n*******************************2***************************************. The\nfollowing criteria apply to FRS access controls, including authentication and authorization of\nsystem users:\n   \xef\x82\xb7   NIST SP 800-53 requires that the information system uniquely identifies and\n       authenticates organizational users (or processes acting on behalf of organizational users).\n   \xef\x82\xb7   NIST SP 800-53 requires that the information system enforces approved authorizations\n       for logical access to the system in accordance with applicable policy.\n\n\n\n                                                                                           Page 16\n\x0c                              While the Financial Institution Registration System\n                              Deployed on Time, Improved Controls Are Needed\n\n\n\n       \xef\x82\xb7   IRM 10.8.1 requires the developer of the information system to provide:20\n             o A description of the functional properties of the security controls to be employed.\n               Functional properties of security controls describe the functionality, i.e., the\n               security capabilities, functions, or mechanisms visible at the control interfaces.\n             o Design and implementation information for the security controls to be employed in\n               sufficient detail to permit analysis and testing of the controls, to include\n               security-relevant external system interfaces, high-level design, low-level design,\n               source code, and hardware schematics.\nOur analysis of FRS authentication and authorization controls for external and internal FRS users\nis presented in Figure 7.\n           Figure 7: Analysis of FRS Authentication and Authorization Controls\n\n                                                    Design & Implementation\nAccess\nControls                                         Authentication & Authorization\n                  *************************************2******************************************\n                  *************************************2******************************************\n                  *************************************2******************************************\n                  ****************************2************The system was developed where:\n                   \xef\x82\xb7 ********************************2********************************************\n                     *********************************2*******************************************\n                     *************2***************.\nExternal\nFRS Users          \xef\x82\xb7 **********************************2********************************.\n                   \xef\x82\xb7 External users can select their role from four predefined application roles. ***2****\n                     ******************************2**********************************.\n                   \xef\x82\xb7 Neither the System Security Plan, the Business Systems Requirements Report, nor the Design\n                      Specification Report included sufficient documentation to describe fully the access controls\n                      design, implementation, and functionality. Because of the lack of sufficient documentation, we\n                      were unable to fully evaluate access controls for external users.\n                  ******************************2*************************************************\n                  ******************************2***********************************, where:\n                   \xef\x82\xb7 ***************************************2************************.\nInternal\nFRS Users     \xef\x82\xb7 Neither the System Security Plan, the Business Systems Requirements Report, nor the Design\n                  Specification Report included sufficient documentation to fully describe the access controls\n                  design, implementation, and functionality. Because of the lack of sufficient documentation, we\n                  were unable to fully evaluate access controls for internal users. \xc2\xa0\nSource: TIGTA discussions and review of security documentation.\n\n\n\n20\n     IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance (May 3, 2013).\n                                                                                                             Page 17\n\x0c                       While the Financial Institution Registration System\n                       Deployed on Time, Improved Controls Are Needed\n\n\n\nThe importance of adequate system access controls is well documented in Federal policy and\nguidance. NIST SP 800-53 states that a security incident could result in a breach to the\ninformation system, producing a loss of confidence by the organization in the confidentiality,\nintegrity, or availability of information processed, stored, or transmitted by the system. More\nspecifically, because FRS security documentation was insufficient and the*****2****\n**********************************2*******************, we could not fully evaluate\nthe adequacy of FRS access controls.\n\nRecommendations\nRecommendation 5:\xc2\xa0\xc2\xa0The Chief Technology Officer should ensure that the developer\nprovides design and implementation documentation for the system security access controls in\nsufficient detail to permit analysis and testing of the controls.\n       Management Response: The IRS disagreed with this recommendation, stating that\n       the FRS is fully documented in the approved Design Specification Report. ***2***is\n       appropriately referenced as part of the design, but a detailed design for this tool is not\n       required as part of the Design Specification Report. The IRS also notes that the FRS was\n       designed and developed by a fully integrated team of IRS and contractor personnel\n       managed by IRS leadership.\n       Office of Audit Comment: Security documentation in sufficient detail to enable\n       analysis and testing of security controls is required for the FRS. Although the Design\n       Specification Report references***2***, it does not provide sufficient detailed\n       information on how to facilitate internal users\xe2\x80\x99 access controls. More critically, there is\n       an absence of documentation for the**************2************************\n       **********************2*******************************.\nRecommendation 6:\xc2\xa0\xc2\xa0The Chief Technology Officer should mitigate the risks associated with\nusing*******************************2*****************************************\n**********2***********.\n       Management Response: The IRS disagreed with this recommendation, stating that it\n       followed the process established at the time. **********2******************\n       ******************************2*****************************************\n       **********************2*************************As part of the IRS\xe2\x80\x99s normal\n       infrastructure review, a later version of the framework will be considered.\n       Office of Audit Comment: **************2*************************\n       *********************************2**************************************\n       ***************************2***************************************.\n       TIGTA maintains that this risk requires definitive corrective actions to ensure adequate\n       system security for the FRS. *******************************2********\n\n\n                                                                                            Page 18\n\x0c                          While the Financial Institution Registration System\n                          Deployed on Time, Improved Controls Are Needed\n\n\n\n       **********************************2*************************************\n       *********2********************.\n\nImproved Traceability of System Requirements to Testing Can Be\nAchieved Through Available Automated Tools\n\nAccording to IRM 2.16.1, requirements management requires end-to-end traceability from\ncustomer needs, to requirements, to logical design, to physical design , to test cases, and to test\nresults to verify that demonstrated functionality is consistent with required functionality.\nThe Rational RequisitePro (ReqPro) automated tool is the IRS\xe2\x80\x99s Enterprise Architecture standard\nfor requirements management during system development . The IBM Rational Quality Manager\n(RQM) automated tool is the IRS\xe2\x80\x99s Enterprise Architecture standard for test case management\nduring systems development. For FRS Release 1.1, ReqPro was used to generate a\nRequirements Traceability Verification Matrix to record and track requirements from inception\nthrough Systems Acceptability Testing (SAT) of the requirements. SAT management stated that\nthey do not currently use full automation afforded by the Rational Tools Suite to integrate\nReqPro with RQM for the FRS. Regarding the use of RQM for the FATCA, SAT management\nstated that they are moving away from the use of manual spreadsheets to implementing\nrequirements in RQM, which will allow better traceability in the future. FATCA Program, FRS\nProject, and stakeholder personnel should fully use ReqPro and RQM to maintain bidirectional\ntraceability from requirements to test cases to test results and thereby ensure that all requirements\nare fully tested prior to deployment. Figure 8 shows an overview provided to TIGTA on how\nthese automated tools are used during IRS systems development processes.\n                         Figure 8: IRS Requirements Management and\n                              Test Management Automated Tools\n\n                            Enterprise Architecture\n    Current Tool(s)                                                           IRS Usage\n                            Recommended Standard\n   ReqPro                 Rational Requirements Composer      Create requirements and business rules\n   Rational ClearCase,                                        Track defects for testing and development\n                          Rational Team Concert\n   Rational ClearQuest                                        and allow traceability\n                                                              Manage requirements and test cases, and\n   RQM                    RQM\n                                                              provide defect reporting\n                                                              Produce the Requirements Traceability\n   Rational Insight       Rational Insight\n                                                              Verification Matrix and create dashboards\n\n   Rational System        Rational System Architect           Create business process models and provide\n   Architect              System Architect Web Client         bidirectional traceability\n\n Source: IRS Rational Tools Integration Overview and Next Steps, December 6, 2013.\n\n                                                                                                        Page 19\n\x0c                        While the Financial Institution Registration System\n                        Deployed on Time, Improved Controls Are Needed\n\n\n\nIn March 2013, to implement complete requirements traceability, the IRS initiated a tools\nassessment to determine how to fully integrate and leverage the IRS\xe2\x80\x99s investment in IBM\xe2\x80\x99s\nRational Tools Suite. The assessment identified the following benefits:\n   \xef\x82\xb7   Complete traceability from requirements to test cases to test results.\n   \xef\x82\xb7   Improved visibility into project status and performance through customizable dashboards\n       at the individual, project, and program level.\n   \xef\x82\xb7   Integrated logical repository linking components to business architecture, design, and\n       operations enabling for synchronization across artifacts.\n   \xef\x82\xb7   Enhanced team collaboration capabilities.\n   \xef\x82\xb7   Standardization across the enterprise to provide an established set of uniform standards,\n       processes, and artifacts.\nOn November 18, 2013, the Associate Chief Information Officer, Enterprise Services, agreed to\ntake ownership of the Rational Tools Suite and governance process and identified the following\nnext steps:\n   \xef\x82\xb7   Establish governance and tool ownership processes.\n   \xef\x82\xb7   Drive Rational Tools Suite adoption.\n   \xef\x82\xb7   Define the Rational Tools Implementation Toolkit to meet the needs of simultaneous\n       adoption for the enterprise.\n   \xef\x82\xb7   Build and deploy a Rational Tools Implementation Toolkit.\n\nRecommendation\nRecommendation 7:\xc2\xa0\xc2\xa0The Chief Technology Officer should ensure that a standard suite of\nintegrated, automated tools is implemented to manage future FATCA system requirements, test\ncases, and bidirectional traceability.\n       Management Response: The IRS disagreed with this recommendation, stating that\n       the FRS was developed using the most current set of integrated, automated tools\n       available, which are still the current standard. At such time when newer tools become\n       available, the FRS will migrate to those along with the rest of the IT organization.\n       Office of Audit Comment: TIGTA recommends that the FATCA IT PMO take the\n       initiative to fully implement the most effective and efficient tools currently available to\n       ensure complete FATCA requirements traceability. Complete requirements traceability\n       for FATCA systems is needed to ensure successful requirements management, that the\n       systems meet required functionality, and that IRS business needs are adequately\n       addressed.\n\n                                                                                            Page 20\n\x0c                              While the Financial Institution Registration System\n                              Deployed on Time, Improved Controls Are Needed\n\n\n\n                                                                                       Appendix I\n\n            Detailed Objective, Scope, and Methodology\n\nOur overall objective was to determine whether the IRS has adequately mitigated system\ndevelopment risks for the FRS Project. To accomplish our objective, we performed the\nfollowing procedures:\nI.         Determined the effectiveness of risk management controls in place for the FATCA\n           Program and the FRS Project, including system and Enterprise Architectures, budget\n           provisions, system or project requirements1 management processes, performance\n           measures and milestones, system development life cycle, and other applicable IRM\n           guidance.\n           A. To obtain an understanding of the FRS as deployed, requested that the IRS provide a\n              demonstration of the FRS that was deployed on December 9, 2013.\n           B. Ensured that FATCA risks are properly identified, monitored, and mitigated in\n              accordance with applicable guidance.\n           C. Reviewed the FATCA Program and FRS Project Enterprise Architecture and\n              determined whether the IRS plans to or has implemented technologies pertaining to\n              electronic signatures or digital signatures and complied with guidance to Federal\n              Agencies.\n           D. Inquired and documented the IRS\xe2\x80\x99s funding strategy for the FATCA Program. We\n              documented approved funding and actual expenditures for the FATCA Program for\n              Fiscal Years 2011\xe2\x80\x932014.\n           E. Obtained, reviewed, and evaluated FATCA Program and FRS Project defined\n              business performance measures for information technology systems that relate to\n              legislative responsibilities and goals for improving tax administration. We\n              ascertained if measures are being monitored and achieved.\n           F. Obtained an understanding of tools that the IRS IT organization is using to design,\n              develop, test, and deploy the FATCA system. This information will be used for\n              future audit planning purposes.\n           G. Developed a timeline to identify key legislative, regulatory, and business drivers for\n              the system. We also included key milestones and deadlines that affect systems\n              development. We documented the size of the FFI population and number of IGAs.\n\n\n1\n    See Appendix IV for a glossary of terms.\n                                                                                              Page 21\n\x0c                           While the Financial Institution Registration System\n                           Deployed on Time, Improved Controls Are Needed\n\n\n\nII.     Determined whether SAT of FRS Release 1.1 was performed in accordance with\n        established IRS testing guidelines and evaluate test plan documentation and test results\n        for the project.\nIII.    Determined whether required system security requirements are guiding the FRS Project.\n        We ensured that security testing was adequately planned and executed and considered the\n        status of project responses for possible failed test cases.\n        A. Reviewed security guidelines including IRM 10.8.12 and NIST SP 800-53.3\n        B. Compared the controls in the FRS System Security Plan to the required FATCA\n           moderate category security controls contained in NIST SP 800-53 to ensure that the\n           required NIST security controls have been incorporated into the FATCA systems.4\n           For any required NIST moderate security controls that were not included in the\n           System Security Plan, we discussed the controls with the Cybersecurity organization\n           to assess the potential impact of not including the controls.\n        C. Obtained and reviewed the System Security Plan to identify the security controls that\n           should be designed into the FATCA Program. We ensured that the IRS has traced\n           security requirements to security controls to security test cases and results.\n        D. For security controls in the System Security Plan, identified controls with an\n           implementation status of partially in place or not in place. We determined if these\n           security controls were properly resolved prior to deployment.\n        E. Determined if an authorization to operate was approved by an appropriate official for\n           the FRS Project as deployed to date; the authorization to operate should be dated prior\n           to deployment.\n        F. Determined that adequate security controls have been implemented to protect the FRS\n           database by reviewing authentication and authorization of internal and external users.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined that the\nfollowing internal controls were relevant to our audit objective: the IRM and related IRS and\n\n2\n  IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance (Dec. 23, 2013).\n3\n  NIST, NIST SP 800-53 Rev. 3, Information Security: Recommended Security Controls for Federal Information\nSystems and Organizations (Aug. 2009). Also, NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal\nInformation Systems and Organizations (April 2013) (includes updates as of Jan. 15, 2014).\n4\n  The IRS has rated the FRS in the moderate category per NIST guidelines. The moderate security categorization\ndescribes the potential adverse impacts to IRS operations, assets, and individuals should the information and\ninformation system be compromised through a loss of confidentiality, integrity, or availability.\n                                                                                                       Page 22\n\x0c                       While the Financial Institution Registration System\n                       Deployed on Time, Improved Controls Are Needed\n\n\n\nFederal Government guidelines and the processes followed in the development of information\ntechnology projects. We evaluated these controls by conducting interviews with management\nand staff, observing testing activities, and reviewing documentation. Documents reviewed\nincluded the FATCA IT PMO Program Management Plan, the FATCA IT PMO Risk\nManagement Plan, and other documents that provided evidence of the extent to which the IRS is\nadequately managing systems development risks for the FATCA Program.\n\n\n\n\n                                                                                      Page 23\n\x0c                       While the Financial Institution Registration System\n                       Deployed on Time, Improved Controls Are Needed\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nDanny Verneuille, Acting Assistant Inspector General for Audit (Security and Information\nTechnology Services)\nGwendolyn McGowan, Director\nCarol Taylor, Audit Manager\nMark Carder, Lead Auditor\nHung Dam, Information Technology Specialist\nKevin Liu, Technical Audit Group Manager\nSylvia Sloan-Copeland, Senior Auditor\nLynn Ross, Senior Auditor\nLarry Reimer, Information Technology Specialist\n\n\n\n\n                                                                                       Page 24\n\x0c                     While the Financial Institution Registration System\n                     Deployed on Time, Improved Controls Are Needed\n\n\n\n                                                                       Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Commissioner for Services and Enforcement SE\nDeputy Commissioner, Large Business and International Division SE:LB\nDeputy Commissioner (International) Executive Assistant SE:LB:IN\nDeputy Chief Information Officer for Operations OS:CTO\nDirector, Privacy, Governmental Liaison and Disclosure OS:P\nAssociate CIO, Applications Development OS:CTO:AD\nAssociate CIO, Cybersecurity OS:CTO:C\nAssociate CIO, EIT PMO OS:CTO:EI MP\nDirector, Risk Management Division OS:CTO:SP:RM\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                             Page 25\n\x0c                    While the Financial Institution Registration System\n                    Deployed on Time, Improved Controls Are Needed\n\n\n\n                                                                                    Appendix IV\n\n                                       Glossary\n\nTerm               Definition\nApplication        In information technology, the use of a technology, system, or product.\n\nArtifact           One of many kinds of tangible by-products produced during the development of\n                   software. Some artifacts help describe the function, architecture, and design of\n                   software. Other artifacts are concerned with the process of development itself\xe2\x80\x94\n                   such as project plans, business cases, and risk assessments. In connection with\n                   software development, artifacts are largely associated with specific development\n                   methods or processes.\n\nBidirectional      Bidirectional traceability of requirements can be established from the source\nTraceability       requirement to its lower level requirements and from the lower level requirements\n                   back to their source. Such bidirectional traceability helps determine that all source\n                   requirements have been completely addressed and that all lower level requirements\n                   can be traced to a valid source. Also, once test cases are developed for associated\n                   requirements, bidirectional traceability enables requirements to trace to test cases\n                   and test cases to trace to requirements.\nBusiness Objects   A broad category of business processes that are modeled as objects. A business\n                   object can be as large as an entire order processing system or a small process\n                   within an information system.\n\nBusiness Systems   This report documents a feasible, quantified, verifiable set of requirements that\nRequirements       define and bound the business system or subsystem(s) being developed or\nReport             enhanced by the project.\n\nCustomer Account   The technology foundation that will provide the IRS with the capability to manage\nData Engine        its tax accounts in a way that is central to the achievement of the IRS\xe2\x80\x99s\n                   modernization vision. This system\xe2\x80\x99s goal is to create current, complete, and\n                   accurate authoritative data stores and construct the related tax administration\n                   systems processes.\n\nDesign             Documents the logical and physical design of a proposed solution from all\nSpecification      applicable perspectives. The Design Specification Report is created in the\nReport             Preliminary Design phase (Milestone 3) and is updated with physical design details\n                   during the Detailed Design phase (Milestone 4A).\n\n\n\n\n                                                                                              Page 26\n\x0c                     While the Financial Institution Registration System\n                     Deployed on Time, Improved Controls Are Needed\n\n\n\nTerm                Definition\nDigital Signature   Encrypted data produced by a mathematical process applied to a record using a\n                    hash algorithm and public key cryptography. The encrypted data are such that a\n                    person having the initial record and the public key that allegedly corresponds to the\n                    private key used to create the encrypted data can accurately determine: (1) whether\n                    the encrypted data were created using the private key that corresponds to such\n                    public key and (2) whether the initial message has been altered since the encrypted\n                    data were created. The encrypted data constituting the digital signature are\n                    sometimes used as an electronic signature, are sometimes used as part of a process\n                    to authenticate a person or device, and are sometimes used to verify the integrity of\n                    the record.\n\nElectronic Fraud    The primary application used by the Wage and Investment Division\xe2\x80\x99s Return\nDetection System    Integrity and Correspondence Services to process revenue protection activities.\n\nEmployee User       IRS portal that allows IRS employee users to access IRS data and systems, such as\nPortal              tax administration processing systems, financial information systems, and other\n                    data and applications, including mission-critical applications. Modernization\n                    registration and authentication are required for access to sensitive and\n                    mission-critical applications, and all user interactions with those systems are\n                    encrypted from workstation to portal across the IRS internal network. It allows IRS\n                    employee users with local area network accounts (Windows Network Login) to\n                    access Intranet sites, selected applications, nonsensitive data, and selected sensitive\n                    processing for which network encryption and modernization logon are not required\n                    (e.g., employee access to selected elements of their own personnel data). IRS\n                    network authentication is a basic requirement for access to any materials or services\n                    and is also required to access modernization registration and authentication.\nEnterprise          A unifying overall design or structure for an enterprise that includes business and\nArchitecture        organizational aspects of the enterprise as well as technology aspects. Enterprise\n                    Architecture divides the enterprise into its component parts and relationships and\n                    provides the principles, constraints, and standards to help align business area\n                    development efforts in a common direction. An Enterprise Architecture ensures\n                    that subordinate architectures and business system components developed within\n                    particular business areas and multiple projects fit together into a consistent,\n                    integrated whole.\nFiling Season       The period from January through mid-April when most individual income tax\n                    returns are filed.\nFinancial           Any foreign financial business or entity (e.g., banks, hedge funds), in which a U.S.\nInstitution (FI)    taxpayer may hold an account or financial/ownership interest, that may attempt to\n                    enter into an agreement with the IRS under the FATCA to become an approved FI.\n\n\n\n\n                                                                                                Page 27\n\x0c                      While the Financial Institution Registration System\n                      Deployed on Time, Improved Controls Are Needed\n\n\n\nTerm                 Definition\nForeign Financial    FFIs include any non-U.S. entity that accepts deposits, holds financial assets, or\nInstitution (FFI)    engages in the business of investing. This includes foreign banks, foreign branches\n                     of U.S. banks, and businesses organized under a foreign law that would be a\n                     securities broker-dealer if located in the U.S., e.g., money transmitter, currency\n                     exchanger.\nGlobal               An identification number that is assigned to a participating FFI or a registered\nIntermediary         deemed-compliant FFI after its FATCA registration is submitted and approved.\nIdentification\nNumber (GIIN)\nIntegrated           The new platform for all portal applications. It represents a multiyear upgrade to\nEnterprise Portal    the entire online portal infrastructure. It is also the first instance of an innovative,\n                     managed service, providing an external private cloud infrastructure.\nIntergovernmental    A U.S. Department of the Treasury agreement with foreign governments (countries)\nAgreement (IGA)      to implement the information reporting and tax withholding provisions of the\n                     FATCA via an automatic exchange of information. IGAs generally allow for\n                     government-to-government reporting of the information and address privacy laws\n                     and the disclosure of account holder information. Model 1 agreements require FFIs\n                     to report to the IRS through their host country taxing authorities. Model 2\n                     agreements require FFIs to report directly to the IRS.\nInternational        International Organization for Standardization is an independent, nongovernmental\nOrganization for     membership organization and the world\xe2\x80\x99s largest developer of voluntary\nStandardization      international standards.\n\n*******2******       ***************************2**************************************\n                     ***************************2**************************************\n                     *******************2*******************\nLarge Business and   The LB&I Division serves corporations, subchapter S corporations, and\nInternational        partnerships with assets greater than $10 million. These entities typically have\n(LB&I) Division      large numbers of employees, deal with complicated issues involving tax law and\n                     accounting principles, and conduct their operations in an expanding global\n                     environment.\nModernized e-File    Modernized e-File receives and processes e-file returns in an Internet environment.\n                     Many returns are received through the Registered User Portal using a component\n                     called the Internet Filing Application. Modernized e-File provides for real-time\n                     processing of acknowledgements, streamlined error detection, standardization of\n                     business rules and requirements across form types, the capability to attach portable\n                     document format files, and the capability for IRS employees to view return data\n                     through the Employee User Portal and the Business Objects Server.\n\n\n                                                                                                    Page 28\n\x0c                      While the Financial Institution Registration System\n                      Deployed on Time, Improved Controls Are Needed\n\n\n\nTerm                 Definition\nNational Institute   A nonregulatory Federal agency, within the Department of Commerce, responsible\nof Standards and     for developing standards and guidelines, including minimum requirements, for\nTechnology (NIST)    providing adequate information security for all Federal Government agency\n                     operations and assets.\nNonfinancial         Nonfinancial foreign entities are considered small, unsophisticated investment\nForeign Entities     entities like family trusts unless they are professionally managed. If professionally\n                     managed, these entities are considered FFIs, but the expectation is that the manager\n                     (also now deemed to be an FFI) will complete FATCA reporting.\nOpen Source          In production and development, a development model that promotes a universal\n                     access via free license to a product\xe2\x80\x99s design or blueprint, and universal\n                     redistribution of that design or blueprint, including subsequent improvements to it\n                     by anyone.\nParticipating FFI    A participating FFI will enter into a registration agreement with the IRS to identify\n                     U.S. accounts, report certain information to the IRS regarding U.S. accounts, and\n                     withhold a 30 percent tax on certain U.S. payments to nonparticipating FFIs and\n                     account holders who are unwilling to provide the required information.\nPersonally           PII is information that, either alone or in combination with other information, can\nIdentifiable         be used to uniquely identify an individual. Some examples of PII are name, Social\nInformation (PII)    Security Number, date of birth, place of birth, address, and biometric records.\n\nPublic User Portal   The Public User Portal (formerly the Digital Daily) is the IRS external or Internet\n                     portal that allows unrestricted public access to nonsensitive materials and\n                     applications, including forms, instructions, news, and tax calculators. No\n                     authentication is required for access to any materials on the Public User Portal.\nRegistered User      The IRS external portal that allows registered individuals and third-party users\nPortal               (registration and login authentication required) and other individual taxpayers or\n                     their representatives (self-authentication with shared secrets required) to access the\n                     IRS for interaction with selected tax processing and other sensitive systems,\n                     applications, and data. User interactions are encrypted from the user\xe2\x80\x99s workstation\n                     or system to the portal, across the Internet or via direct circuits. The Registered\n                     User Portal, via the Common Communication Gateway, also supports IRS\n                     extranets, such as the exchange of bulk files of information with the IRS and the\n                     Virtual Private Network (both inbound and outbound) by registered and authorized\n                     external entities\nRequirement          A formalization of a need that is the statement of a capability or condition that a\n                     system, subsystem, or system component must have or meet to satisfy a contract,\n                     standard, or specification.\n\n\n\n                                                                                                 Page 29\n\x0c                       While the Financial Institution Registration System\n                       Deployed on Time, Improved Controls Are Needed\n\n\n\nTerm                  Definition\nRequirements          A tool that documents requirements and establishes the traceability relationships\nTraceability          between the requirements to be tested and their associated test cases and test\nVerification Matrix   results.\n\nReturn Review         The Return Review Program is a new integrated system that adds to the IRS\xe2\x80\x99s\nProgram               capability to detect, resolve, and prevent criminal and civil tax noncompliance and\n                      fraud.\nSecurity Controls     An SCA is conducted in the IRS production environment and consists of activities\nAssessment (SCA)      designed to ensure that the system\xe2\x80\x99s security safeguards are in place and\n                      functioning as intended.\n*****2******          ***************************2**************************************\n                      ***************************2**************************************\n                      ***************************2**************************************\n                      ***************************2**************************************\n                      ***************************2**************************************\n                      ************2**************\nSponsoring Entity     A sponsoring entity is an entity that will perform the due diligence, withholding,\n                      and reporting obligations of one or more sponsored investment entities or\n                      controlled foreign corporations.\nSystems               A SAT verifies that the system satisfies software application requirements.\nAcceptability Test\n(SAT)\nWithholding Agent     A withholding agent is a U.S. or foreign person that has control, receipt, custody,\n                      disposal, or payment of any item of income of a foreign person that is subject to\n                      withholding. A withholding agent may be an individual, corporation, partnership,\n                      trust, association, or any other entity, including any foreign intermediary, foreign\n                      partnership, or U.S. branch of certain foreign banks and insurance companies.\n\n\n\n\n                                                                                                 Page 30\n\x0c                                 While the Financial Institution Registration System\n                                 Deployed on Time, Improved Controls Are Needed\n\n\n\n                                                                                                              Appendix V\n\n           Management\xe2\x80\x99s Response to the Draft Report\n\n                                               DEPARTMENT OF THE TREASURY\n                                                INTERNAL REVENUE SERVICE\n                                                  WASHINGTON, D.C. 20224\n\nCHIEF TECHNOLOGY OFFICER\n\n\n\n\n                                                        September 8, 2014\n\n\n\nMEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR_AUDIT\n\nFROM:                       Terence V. Milholland /s/ Terence V. Milholland\n                            Chief Technology Officer\n\nSUBJECT:                    While the Foreign Financial Institution Registration System Deployed on Time, Improved Controls\n                            Are Needed (Audit 201420013) (e-trak #2014-58575)\n\nThank you for the opportunity to review your draft audit report and to discuss earlier draft report observations with the audit\nteam. We appreciate TIGTA noting the timely delivery of the FATCA FI Registration System in your report.\n\nWith regard to your recommendations, we disagree with TIGTA's conclusions in the areas of performance measures, electronic\nsignature, security-specific requirements, security access controls, ****2*****, and assurance that a standard suite of integrated,\nautomated tools is implemented to manage future FATCA system requirements, test cases, and bidirectional traceability.\n\nPerformance Measures\n\nBusiness performance measures for the FATCA FI Registration System are not the responsibility of the Chief Technology\nOfficer. The Commissioner, Large Business and International, has developed business performance measures for the FATCA FI\nRegistration System. The Chief Technology Officer will incorporate these measures into the Exhibit 300 for inclusion in the FY\n2016 budget submission.\n\nSecurity-Specific Requirements\n\nThroughout the development lifecycle of the FATCA FI Registration System the appropriate system-specific security testing was\nconducted, as sanctioned by the Information Technology (IT) Cyber Security organization and governed by the IRS Information\nTechnology (IT) Security, Policy and Guidance, IRM 10.8.1. As required by IRM 10.8.1.4.15.2 SA-3 System Development Life\nCycle (SDLC), FATCA FI Registration System was developed and tested via the IRS - approved SDLC method- the IRS\nEnterprise Life Cycle (ELC).\n\nDuring Release 1.1 Drop 1, the FATCA FI Registration System went through Security Accreditation and Authorization (SA&A)\nand completely tested those security controls necessary to achieve an Interim Authority to Operate. During Release 1.1 Drop 2,\nthe FATCA FI Registration System went through an ED-SCA (Event-Driven Security Control Audit) to capture\n\n\n\n                                                                                                                          Page 31\n\x0c                                While the Financial Institution Registration System\n                                Deployed on Time, Improved Controls Are Needed\n\n\n\n\nand fully test those features and functions not previously tested during the initial SA&A. An Authority to Operate (ATO) was\nissued in November 2013, prior to the go-live date of December 9, 2013. In addition, throughout the Development Lifecycle, test\ncases relating to specific areas that tie back to security requirements, such as those governing the Access Code and FATCA ID\ngeneration, were fully tested and documented within the FATCA FI Registration System Requisite Pro repository.\n\nAs IRS followed the standard practice necessary to obtain Cybersecurity authorization to operate the FATCA FI Registration\nSystem, and as TIGTA did not find any specific examples related to FATCA FI Registration System where security testing was\ndeficient, we do not agree with this recommendation.\n\nUse of Electronic Signature\n\nDuring the course of the audit, IRS discussed with TIGTA that there were no requirements for e- Signature given to IT by the\nbusiness. The Chief Technology Officer timely delivered the system per business requirements.\n\nSecurity Access Controls\n\nTIGTA asserts that contractors have maintained all information regarding the source of design and implementation of security in\na proprietary fashion such that the IRS has no access to or knowledge of such information. This is both inaccurate and\nmisleading and leads to the inaccurate conclusion that there is potential security vulnerability in the design of the FRS based on\nsuch proprietary knowledge.\n\nA secondary issue with the recommendation is that TIGTA holds the FATCA PMO responsible for fully documenting the\nauthentication and access control capabilities for ***2***, a tool used by the application. IRS disagrees that the FATCA FI\nRegistration System documentation should contain detailed design information for ***2***. ***2*** is a common use service\nwithin IRS that is leveraged by many applications including the FATCA FI Registration System. IRS fully tested all access\ncontrols that were integrated with ***2*** to ensure the roles-based accesses were working as designed. These tests are fully\ndocumented within the Requisite Pro repository, and traced to requirements and results.\n\n**********2*********\n\nThe version of ************2********used to create the access controls and authentication for the external users of the\nFinancial Institution Registration System was the most current version available at the time. As part of Information Technology's\nnormal infrastructure review process, we will consider a newer version of the Framework, if approved for use on IRS systems.\n\nStandard Suite of Integrated Tools\n\n\n\n\n                                                                                                                         Page 32\n\x0c                                While the Financial Institution Registration System\n                                Deployed on Time, Improved Controls Are Needed\n\n\n\n\nWe disagree that the Chief Technology Officer should specifically ensure that a standard suite of integrated, automated tools is\nimplemented to manage future FATCA system requirements, test cases, and bidirectional traceability. FATCA FI Registration\nSystem completely documented system requirements and traceability using the existing suite of IRS approved tools. This\nrecommendation has already been addressed in other audit reports, and IRS is responding to this recommendation at the\nEnterprise level.\n\nWe are committed to continuously improving IRS information technology systems and processes. We value your continued\nsupport, and the assistance and guidance your team provides. Our corrective action plan for the recommendations is attached. If\nyou have any questions, please contact me at (202) 317-5000, or a member of your staff may contact Lisa Starr, Program\nOversight Manager Coordination Manager, at (240) 613-4219.\n\n\nAttachment\n\n\n\n\n                                                                                                                         Page 33\n\x0c                                 While the Financial Institution Registration System\n                                 Deployed on Time, Improved Controls Are Needed\n\n\n\n\nRECOMMENDATION #1: The Chief Technology Officer should ensure that the IRS Information Technology organization\nand the LB&I Division coordinate to timely develop and implement adequate business performance measures to quantify net\nbenefits for information technology investments in support of the FATCA.\n\nCORRECTIVE ACTION #1: The Commissioner, Large Business and International, is responsible for the business measures\nfor the FATCA FI Registration System and has developed these measures. The Chief Technology Officer will incorporate these\nmeasures in the OMB Exhibit 300 for the IRS\xe2\x80\x99s FY 2016 budget submission.\n\nIMPLEMENTATION DATE: January 25, 2015\n\nRESPONSIBLE OFFICIAL: Deputy Commissioner (International), Large Business and International\n\nCORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management\nEnterprise System (JAMES). These Corrective Actions are monitored on a monthly basis until completion.\n\nRECOMMENDATION #2: The Chief Technology Officer should ensure that system-specific security requirements are traced\nto test cases, and test cases to test results to ensure the completeness of Financial Institution Registration System security testing.\nThis will also provide assurance that adequate system-specific security will be in place throughout the lifecycle of the FRS.\n\nCORRECTIVE ACTION #2: The IRS disagrees with this recommendation. There were no specific findings from this audit\nrelated to any specific test cases as documented within the Financial Institution Registration System Requisite Pro repository that\nwere presented to the IRS as examples of a deficiency. Instead, TIGTA presented the recommendation based on a one-time\ninitiative taken by the CADE2 project wherein every NIST Security Control had been traced in some manner to some type of\ntesting and included in the CADE2 security documentation. This is not a standard practice within IRS.\n\nIMPLEMENTATION DATE: N/A\n\nRESPONSIBLE OFFICIAL: N/A\n\nCORRECTIVE ACTION MONITORING PLAN: N/A\n\nRECOMMENDATION #3: The Chief Technology Officer should ensure that the FATCA IT PMO determines whether the\nparticular technology and set of procedures that comprise the signing process are as reliable as is appropriate for the intended\npurpose.\n\nCORRECTIVE ACTION #3: No business requirements existed to provide an e-Signature capability for the FATCA FI\nRegistration System. The Chief Technology Officer delivered the system per business requirements. TIGTA was provided with\nthe legal analysis undertaken by the Associate Chief Counsel (International) on whether an electronic signature was needed.\n\n\n\n\n                                                                                                                             Page 34\n\x0c                                While the Financial Institution Registration System\n                                Deployed on Time, Improved Controls Are Needed\n\n\n\n\nIMPLEMENTATION DATE: N/A\n\nRESPONSIBLE OFFICIAL: N/A\n\nCORRECTIVE ACTION MONITORING PLAN: N/A\n\nRECOMMENDATION #4: The Commissioner, LB&I Division, should ensure that the LB&I Division completes a thorough\nrisk analysis and cost-benefit analysis to better assess the likelihood and cost of not implementing enforceable electronic\nsignatures for the FRS.\n\nCORRECTIVE ACTION #4: LB&I has provided TIGTA with a report that outlined the decision on Part Four of the FATCA\nregistration system regarding the signature. In addition, we are completing a risk assessment to document the decision.\n\nIMPLEMENTATION DATE: October 25, 2014\n\nRESPONSIBLE OFFICIAL: Deputy Commissioner (International), Large Business and\nInternational Division\n\nCORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management\nEnterprise System (JAMES). These Corrective Actions are monitored on a monthly basis until completion.\n\nRECOMMENDATION #5: The Chief Technology Officer should ensure that the developer provides design and\nimplementation documentation for the system security access controls in sufficient detail to permit analysis and testing of the\ncontrols.\n\nCORRECTIVE ACTION #5: The IRS disagrees with this recommendation. The application is fully documented in an\napproved Design Specification Report (DSR). ***2***is appropriately referenced as part of the design, but a detailed design for\nthis tool is not required as part of the application DSR.\n\nAdditionally, in a previous response to a draft version of this Audit Report, TIGTA was requested to remove all reference to \xe2\x80\x9cthe\ncontractor\xe2\x80\x9d as it related to \xe2\x80\x9cthe developer\xe2\x80\x9d and any inferences that the FATCA FI Registration System was developed solely by\nan outside organization. The Financial Institution Registration System was designed and developed by a fully integrated team of\nIRS and Contractor personnel managed by IRS leadership.\n\nIMPLEMENTATION DATE: N/A\n\nRESPONSIBLE OFFICIAL: N/A\n\nCORRECTIVE ACTION MONITORING PLAN: N/A\n\nRECOMMENDATION #6: The Chief Technology Officer should mitigate the risks associated with using an\n***********************2********************************.\n\n\n\n\n                                                                                                                         Page 35\n\x0c                               While the Financial Institution Registration System\n                               Deployed on Time, Improved Controls Are Needed\n\n\n\n\nCORRECTIVE ACTION #6: The IRS disagrees with this recommendation. IRS followed the process established at the time.\nThe version of **********2*****************************************************************************\n*********************************2*******************************************************************\n****************************************2*********************. As part of our normal infrastructure review, a later\nversion of the Framework will be considered.\n\nIMPLEMENTATION DATE: N/A\n\nRESPONSIBILE OFFICIAL: N/A\n\nCORRECTIVE ACTION MONITORING PLAN: N/A\n\nRECOMMENDATION #7: The Chief Technology Officer should ensure that a standard suite of integrated, automated tools is\nimplemented to manage future FATCA system requirements, test cases, and bidirectional traceability.\n\nCORRECTIVE ACTION #7: The IRS disagrees with this recommendation. The Financial Institution Registration System was\ndeveloped using the most current set of integrated, automated tools available, which are still the current standard. At such time\nwhen newer tools become available, the Financial Institution Registration System will migrate to those along with the rest of the\nInformation Technology organization.\n\nIMPLEMENTATION DATE: N/A\n\nRESPONSIBLE OFFICIAL: N/A\n\nCORRECTIVE ACTION MONITORING PLAN: N/A\n\n\n\n\n                                                                                                                       Page 36\n\x0c"